A breach isn’t just loss of data. It’s loss of time, loss of money, and loss of reputation. What happens when you have unauthorized access to protected health information?
1. Breach Investigation
An external organization must investigate the breach to identify the cause and ensure that unauthorized access to PHI has been blocked.
2. Remediation
A data breach places a considerable administrative burden on healthcare providers. Staff must issue notifications, update websites, field customer queries, and implement new safeguards.
3. Temporary Operational Changes
All the safeguards that should have been installed to prevent a breach must now be implemented, under the close scrutiny of the Office for Civil Rights.
4. Breach Notification Letters
Breach notification letters must be issued to all affected individuals by first class postage ($.49). Subsequent notifications may need to be sent with updated information.
5. Identity Theft Prevention
HIPAA requires covered entities to provide free credit protection monitoring and identity theft protection to all breach victims. The current cost is estimated to be $10 per individual, per month. These services must be offered for 1 to 2 years.
6. Regulatory Fines / Office for Civil Rights
The Office for Civil Rights issues financial penalties for HIPAA violations up to a maximum of $1.5M per year, per violation category. The highest fine issued to date was $16M for the Anthem breach of almost 79 million individuals.
7. Regulatory Fines / Attorney General’s Office
Attorney General’s Offices assist the OCR in policing HIPAA Privacy and Security rules. State AG offices are issuing fines for HIPAA breaches at a state level up to $25,000 per violation category.
8. Lost Business / Loss of Reputation
Providers can expect a churn rate of 5-6% following a data breach, while 65% of consumers would consider switching providers following a major HIPAA data breach.
9. Class Action Lawsuits
Anthem had 3 class action lawsuits filed in the first 24 hours after the breach. Class action lawsuits usually claim damages of $1,000 per victim. Negligence claims may also be filed against healthcare providers for exposing PHI.
10. Website / Helpline for Breach Victims
HIPAA requires covered entities to publish information on a company or dedicated website as well as provide victims with a free telephone number to allow them to obtain further information.
For more information on how your organization can avoid a costly HIPAA data breach contact us at info@nexa1.com
Sources: Ponemon Institute; Transunion; CFO.com; HHS.gov
